What is a data subject entitled to get?
What should a company do?
In this article, we will break down the concept of the right to data portability so you know everything to know about it, what is the right, how to comply, what data to give, possible sanctions and more.
Are you ready?
Let’s get started!
What is the right to data portability?
The right to data portability is a right granted by GDPR to individuals allowing them to request a copy of their personal data in a structured, commonly used and machine-readable format.
The objective of data portability is to ensure data subjects have the ability to take back their data and retain the services of another provider.
This right effectively reduces the level of control exerted by companies on individuals by reducing the level of dependency a data subject may have on the same organization.
Article 20 GDPR outlines the right to data portability as follows:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.”
When can a person exercise the right to data portability?
As we can see from the formulation of Article 20 GDPR, a person can exercise the right to portability in the following instances:
- When a company processes personal data based on the lawful basis of consent
- When a company processes personal data for the performance of a contract
- When a company processes personal data by automated means
If you consider the above options, the common thread is that the right to data portability applies to the information that the data subject had provided the organization.
In fact, GDPR states the right can be exercised when the data subject “has provided (personal data) to the controller”.
Preparing in advance
Providing a copy of the data subject’s data may be quite an extensive job.
It’s best practice to define the process of how to respond to a data subject’s data portability request before even a data subject makes the request.
When a company defines its data flow map, understands the type of data it processes and where the data is stored, it can better manage a data portability request.
What data can you give?
What data is proprietary?
What data was given by the data subject?
Are there legitimate reasons that we can refuse to give the data?
In advance, the company should think about the format in which it will give the data to the data subject so it can comply with GDPR.
Not preparing and having to figure out how to respond to a data portability request when an actual request comes it may lead to a company infringing GDPR.
What information should a company provide a data subject?
GDPR states that a company must provide personal information and when it was provided by the data subject.
Let’s look at each aspect of this requirement.
The first step is to validate that the information is personal information.
Personal information can be anything that allows the identification of the individual such as:
Personal information can also identify someone indirectly such as:
- Online search activities
- Website navigation history
- Traffic data
- Location data
- Raw data from smart objects
- Raw data from wearable devices
Pseudonymous data is data that remains personal data but has been ‘masked’ so the users or individuals using the data do not see who it may relate to.
Even though a user will not be able to tell who the data subject may be, a company has the ability to connect the pseudonymous data to a person based on their unique identifiers.
Pseudonymous data is subject to data portability rights.
What information can a company avoid giving a data subject?
In what cases can a company avoid having to give data to the data subject?
Let’s look at some scenarios.
If the company has processed data in such a way to create new data such as creating a profile or other commercial data, such new data will not be subjected to the data portability right.
The evaluation of the request must be done carefully.
If a company has used non-personal data in order to infer or derive data about a person, data portability right will not cover that data but an individual will nonetheless have the right to access the data.
Anonymous data is data that cannot be linked to an individual and cannot be reverse-engineered to link it to an individual like pseudonymous data.
As a result, anonymous data will not be subject to data portability right when a person cannot be identified.
Copy of personal data for the data subject
When exercising the portability right, individuals have the right to get a copy of their personal data in a structured, commonly used and machine-readable format.
This means that a company must ensure it transmits a copy of the personal data requested to the individual taking into consideration the technologies and systems available to an average data subject to read the data.
Some companies provide a tool or a system allowing the user to extract the needed data and access their own information at their own convenience.
Transmitting personal data to another controller
A data subject has the right to ask a company to transmit his or her personal data directly to another controller.
When it’s technically feasible
When such a request is made, companies should comply with it to the extent they are technically able to achieve the transmission.
Recital 68 of GDPR states:
“The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.”
A company does not have an obligation to develop interoperable systems or assume excessive obligations to allow a data subject to transmit data directly to another controller.
If a company is reasonably able to transmit the data to another data controller without undue or excessive obligations, then it should do it.
An organization should not hinder a data subject’s right to request their personal data be transferred to another controller.
In other words, a company should not find obstacles or hurdles to justify its inability to act as such when it has the ability to do so.
When a company is unable to transmit the data to another controller, it must be for a justified cause or there must be legitimate reasons to support the company’s decision.
Secure transmission of data
The secure transmission of the data remains of the responsibility of the data controller.
If the data is compromised during the transmission process, the data controller will be directly held responsible for that.
A breach of security is a GDPR infringement and will trigger the obligations outlined in GDPR such as notification to the supervisory authorities, to the data subject and so on, depending on the nature of the risk to the data subject.
In what format should data be given to data subjects?
When a person exercises his or her right to data portability under GDPR, they must receive their data in a usable way.
GDPR defines this as:
- Commonly used
GDPR considers that data will be meaningfully usable when it is structured, in a format that is commonly used and able to be read by a machine.
This must be considered from the perspective of the data subject.
Companies should assess which format can be the most appropriate for a data subject to obtain a copy of their data.
Structured data format
A structured data format is one where the data is organized in such a way that any parts of it can be extracted and identified.
ICO of UK provides the example that data in a spreadsheet is considered structured data as the data is organized and parts of it can be extracted in a structured way.
Commonly used data format
A commonly used data format is one that is widely used or readily accessible to most individuals.
For example, providing documents in a PDF format can be considered a commonly used format.
Providing the same data in another format generated by a specialty software will not be considered as commonly used.
Machine-readable data format
Machine-readable data format means that the data must be able to be read by a computer.
ICO of UK gives an example that a machine-readable data format can be instances when an organization makes available the data through the web by means of an application programming interface (API).
At the end of the day, the format given to data subjects should be readable by a computer.
Data security and portability rights
When companies are asked to transmit personal data to another controller, data security and privacy should be of major consideration.
Data subjects should be informed as to the risks involved in directly transmitting from one company to the other.
The content of the data transmitted may be extremely sensitive.
The data subject would not want an insecure transmission to compromise their data.
Transparency and data portability
Companies should be mindful of their transparency obligation when dealing with data portability rights.
In most cases, companies may be able to provide some information and not others.
This makes the personal data sort of incomplete.
Companies have a legitimate interest to protect their trade secrets and operations and the data subjects have the right to get all their data.
In practice, it may not be as straightforward, however.
The more a company can be transparent in its privacy notice and notification to the data subject exercising his or her right to data portability, the better a company can comply with GDPR.
Interoperability of ported data
GDPR allows a data subject to request the transmission of his or her personal data directly to another controller.
This can be achieved to the extent the data format can be effectively used by the other company.
Interoperability can be achieved using Application Programming Interfaces (APIs).
A company does not have to go out of its way to create interoperability for the data subject when that effort can be significant or cause undue hardship on the company.
Can a company charge fees for data portability?
The rule is that a company cannot charge a fee to the data subject when exercising his or her rights under GDPR.
As a result, a company must comply with an individual’s request free of charge.
In some cases though, a company may have the option to demand fees to give act to a data portability request.
If a request is manifestly unfounded or excessive, a company can demand reasonable fees to cover its administration cost.
Administration cost is not defined under GDPR, so a company must consider the overall nature of the request and the effort required in porting the data of the individual or another organization to determine the cost on a case-by-case basis.
Companies should make sure they can justify their request for a fee.
If not, data subjects may argue that the company is obstructing their ability to exercise their right.
Can a company refuse a data portability request?
A company should comply with a data portability request when the data subject has exercised such right.
However, there is an exception that companies should be aware of.
Article 12(5) GDPR states that:
“where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request”.
Based on this article, a data controller or data process has the right to refuse or reject a subject request provided it has the ability to demonstrate that the request is excessive or unfounded.
What is a manifestly unfounded request?
GDPR allows a data controller or data processor to either charge a fee or reject a data subject’s portability right when the request is manifestly unfounded.
The term ‘manifestly’ refers to a request that is obvious or leaves no doubt that it is unfounded.
Companies should carefully assess a subject access request before rejecting it to ensure that the request is indeed manifestly unfounded.
Here are some examples of manifestly unfounded requests:
- A person has filed a request to get monetary advantages from the company
- The person’s request clearly shows that the objective is to disrupt the company operations
- The request is a person’s way to attack an employee of your company
- The person’s request is malicious
- The person is using the SAR as a means to harass the organization
What is an excessive request?
A data subject request can also be excessive in nature justifying its rejection.
An excessive request is when a person’s demands are excessive in nature or repetitive.
Companies should carefully assess a request before qualifying it as an excessive request though.
The burden to demonstrate that a request was excessive is on the organization’s shoulder.
Here are some examples of an excessive request:
- Repeatedly requesting the same thing over and over
- The request overlaps with another request
- Submitting the same requests through multiple channels
What’s advisable is that a company assesses the request carefully before rejecting it.
It may be a good practice to reach out to the data subject in order to clarify the request or better scope the request in such a way to eliminate its excessive nature.
If a data subject is unaware of the excessive nature of the request, they may request information in good faith not knowing any better.
Granted, some other individuals may know exactly what they are doing.
Rather than rejecting a request outright, it may be worth considering the option to have the request clarified.
How to notify the data subject of the request being rejected?
A data controller or data processor has the obligation to respond to the data subject’s request within one month from the request.
If a company intends to fully or partially reject the data subject’s request, it must inform the data subject of its decision in writing within the required timeline.
The data subject must be informed as to why his or her request has been rejected, their right to make a complaint with the relevant supervisory authority and their right to take action before judicial courts.
Infringement of data subject’s right of access
Article 83 GDPR allows the supervisory authorities to issue administrative fines in the event of non-compliance or the infringement of GDPR.
Depending on the nature of the infringement, GDPR classifies it in two categories.
One category is for serious infringement to GDPR whereby the fines can reach the greater of €20,000,000 or 4% of a company’s global annual turnover.
The other category is for less serious infringement cases where fines can reach the greater of €10,000,000 or 2% of a company’s global annual turnover.
The violation of Article 20 GDPR having to do with the data subject’s right to portability is a serious breach under GDPR (Article 83(5)(a) GDPR) exposing a company to GDPR fines in the amount equal to the greater of €20,000,000 or 4% of a company’s global annual turnover.
In addition, failure to observe the Article 12 GDPR requirements with regards to providing a data subject with supplementary information in response to a data subject exercising his or her right to data portability is considered a serious breach of GDPR (Article 83(5)(b) GDPR) and as such will expose a company to fines in the amount representing the greater of €20,000,000 or 4% of a company’s global annual turnover.
Working Party’s guideline on data portability
For more resources and information on data portability, you can consult the Working Party’s guideline on data portability dated October 27, 2017.
You can download a version of this guideline here.